[
https://issues.apache.org/jira/browse/CASSANDRA-14925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16714525#comment-16714525
]
Sylvain Lebresne commented on CASSANDRA-14925:
----------------------------------------------
Can't we just use {{BigDecimal.toString()}} all the time as save ourselves the
trouble of adding yet one more runtime parameter that no user will probably
ever modify?
> DecimalSerializer.toString() can be used as OOM attack
> -------------------------------------------------------
>
> Key: CASSANDRA-14925
> URL: https://issues.apache.org/jira/browse/CASSANDRA-14925
> Project: Cassandra
> Issue Type: Bug
> Components: Core
> Reporter: ZhaoYang
> Assignee: ZhaoYang
> Priority: Minor
>
> Currently, in {{DecimalSerializer.toString(value)}}, it uses
> {{BigDecimal.toPlainString()}} which generates huge string for large scale
> values.
>
> {code:java}
> BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
> d.toPlainString(); // oom{code}
>
> Propose to use {{BigDecimal.toString()}} when scale is larger than 100 which
> is configurable via {{-Dcassandra.decimal.maxscaleforstring}}
>
> | patch | circle-ci |
> | [3.0|https://github.com/jasonstack/cassandra/commits/decimal-tostring-3.0]
> |
> [unit|https://circleci.com/gh/jasonstack/cassandra/747?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link]
> |
> The code should apply cleanly to 3.0+.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
